Letter to FBI Urging Review of NGI Database

The FBI has been developing a massive biometric database called the the Next Generation Identification System (NGI). The system, however, has not undergone a privacy review back since 2008 and now poses a raises serious privacy and civil liberties concerns for every American

The FBI has been developing a massive biometric database called the the Next Generation Identification System (NGI). The system, however, has not undergone a privacy review back since 2008 and now poses a raises serious privacy and civil liberties concerns for every American

Dear Attorney General Holder, We write today to urge the Department of Justice (DOJ) to quickly complete an updated Privacy Impact Assessment (PIA) for the Federal Bureau of Investigation’s Next Generation Identification System (NGI) as part of a broader effort to examine the goals and impact of NGI. The previous PIA on NGI’s face recognition component dates back to 2008.

1

Since that time the program has undergone a radical transformation—one that raises serious privacy and civil liberties concerns. The FBI recognizes this transformation and, at a July 2012 Senate hearing, committed to updating its privacy assessment of the agency’s use of facial recognition.

2

Jerome Pender, Deputy Assistant Director of the FBI’s Criminal Justice Information Service Division, stated in his statement for the record that “[a]n updated PIA is planned and will address all evolutionary changes since the preparation of the 2008 IPS PIA.”

3

Furthermore, Assistant Director Pender said the updated privacy assessment would have “an emphasis on Facial Recognition.”

4

Nearly two years later an updated privacy assessment has not been completed.

5

PIAs are an important check against the encroachment on privacy by the government. They allow the public to see how new programs and technology utilized by the government affect their privacy and assess whether the government has done enough to mitigate the privacy risks. As the DOJ’s own guidelines on PIAs explains, “[t]he PIA also gives the public notice of this analysis

2 and helps promote trust between the public and the Department by increasing transparency of the Department's systems and missions.”

6

The PIA, as the DOJ’s guidelines state, is not optional: A PIA is an analysis required by the E-Government Act of how information in identifiable form is handled to ensure compliance with applicable legal, regulatory, and policy requirements regarding privacy, to determine the risks and effects of collecting, maintaining, and disseminating such information in an electronic information system, and to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

7

Additionally, PIAs should be conducted during the development of any new system “with sufficient lead time to permit final Departmental approval and public website posting on or before the commencement of any system operation (including before any testing or piloting.)”

8

The FBI’s NGI program has instituted multiple pilots using biometric identifiers including facial recognition and iris recognition without completing a proper privacy assessment.

9

And despite the fact that FBI has so far failed to produce a PIA for NGI, the Bureau has stated it plans for NGI’s face recognition component “to be at Full Operating Capacity (FOC) in fiscal year 2014.”

10

The capacity of the FBI to collect and retain information, even on innocent Americans, has grown exponentially. It is essential for the American public to have a complete picture of

all

the programs and authorities the FBI uses to track our daily lives, and an understanding of how those programs affect our civil rights and civil liberties. The FBI’s NGI system is a massive biometric database that includes iris scans, palm prints, and face recognition. NGI builds on the Integrated Automated Fingerprint Identification System, the FBI’s legacy fingerprint database, which already contains well over 100 million individual records—equal to nearly one third of the U.S. population.

11

NGI combines these biometric data in each individual’s file, linking them to personal and biographic information like name, home address, ID number, immigration status, age, race, etc. This immense database is shared with other federal agencies and with the approximately 18,000 tribal, state and local law enforcement agencies across the United States.

3 The facial recognition component of NGI poses real threats to privacy for all Americans, and could, in the future, allow us to be monitored and tracked in unprecedented ways.

12

NGI will include criminal and non-criminal photos, and the FBI projects that by 2015, the database could include as many as 52 million face images.

13

4.3 million of those would be taken for non-criminal purposes, such as employer background checks. It appears FBI plans to include these non-criminal images every time a law enforcement agency performs a criminal search of the database.

14

According to an FBI study, the quality of images in the database is inconsistent and often of low resolution.

15

Partly for this reason, the FBI doesn’t promise accuracy in its search results. Instead, it ensures only that “the candidate will be returned in the top 50 candidates” 85% of the time “when the true candidate exists in the gallery.”

16

In fact, the overwhelming number of matches will be false. This false-positive risk could result in even greater racial profiling by disproportionately shifting the burden of identification onto certain ethnicities. The false-positive risk can also alter the traditional presumption of innocence in criminal cases by placing more of a burden on the suspect to show he is not who the system identifies him to be. And this is true even if a face recognition system such as NGI offers several results for a search instead of one, because each of the people identified could be brought in for questioning, even if he or she has no relationship to the crime.

17

The use of facial recognition technology allows the government to track Americans on an unprecedented level. Despite FBI statements to the media that NGI will merely be a mug shot database, the Bureau’s plans for its face recognition capabilities are much broader. According to an FBI presentation on facial recognition and identification initiatives at a biometrics conference in 2010, one of the FBI’s goals for NGI is to be able to track people as they move from one location to another.

18

The extensive collection and sharing of biometric data at the local, national, and international level raises significant concerns for Americans. Data accumulation and sharing can be good for solving crimes across jurisdictions or borders, but can also perpetuate racial and ethnic profiling, social stigma, and inaccuracies throughout all systems and can allow for government tracking and surveillance on a level not before possible.